Stack overflow detection
Setup
Retrieve the program uppercase.c, compile it (recommended compiler options for this session are: -g -O0 -Wall -Wextra
), and run it, e.g., like this:
$ gcc -g -O0 -Wall -Wextra -o uppercase uppercase.c
$ ./uppercase 'Hello, World!'
HELLO, WORLD!
Now take some time to study the code of the program.
Exercise 2.a: the program is affected by a memory-related bug (EEEK!). Explain where the bug is, what its consequences might be, and how to fix it.
Static analysis with Clang-Tidy
Clang-Tidy (which you have installed already, as part of last week's lab session) performs some simple static analysis checks, ranging from basic linting to more advanced techniques. From the tool documentation:
clang-tidy is a clang-based C++ “linter” tool. Its purpose is to provide an extensible framework for diagnosing and fixing typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static analysis.
Exercise 2.b: go (briefly) through the documentation of clang-tidy
and learn how to use it to analyze C source code files.
Then use clang-tidy
on uppercase.c
to check if it detects the bug you have identified in the previous exercise.
Does clang-tidy
catch the problem?
Based on what you have learned in last lecture, explain why clang-tidy
is capable to identify the problem or why it isn't.
Dynamic analysis with Valgrind
Clang-Tidy performs static analysis, Valgrind on the other hand performs dynamic analysis, based on dynamic binary re-compilation, as we have seen in last lecture. Let's see how Valgrind fares in detecting the bug with this program. After compiling your program, we can give it a try like this:
$ valgrind [--tool=memcheck] ./uppercase 'Hello, World!'
(Note: --tool=memcheck
is optional because Memcheck is the default tool that Valgrind uses unless otherwise requested.)
Exercise 2.c: does Valgrind detect the issue? Based on what you have learned in last lecture, explain why or why not.
Exercise 2.d: benchmark the time required to execute the program with and without Valgrind.
(Tip: as a simple way to do that you can use the standard UNIX time
command.
If you want to be fancier, this is your chance to learn about the amazing benchmarking tool Hyperfine and use it for a more scientifically accurate comparison.)
Dynamic analysis with LLVM sanitizers
As we have seen in last lecture, dynamic analysis can also be performed via source code instrumentation, which happens at compile time to add runtime checks. As we have seen LLVM sanitizers (look for the various entries with "Sanitizer" in their name in the Clang documentation) are a set of plugins for the Clang compiler that do that.
Exercise 2.e: change the compiler you are using to build from gcc
to clang
and first rebuild the program with it. (You can pass the same options suggested above, as they are compatible between the two compilers.)
Then, add all of the following sanitizers (check the documentation for how to do that) and rebuild the program: AddressSanitizer, LeakSanitizer, UndefinedBehaviorSanitizer.
Compare the size of the executables built with and without sanitizers. How different are they and why?
Exercise 2.f: run the instrumented program. Do sanitizers detect the issue? Based on what you have learned in last lecture, explain why or why not.
Let's streamline our build process a bit, as it is becoming a bit of a mess.
Retrieve the generic Makefile we make available for building the programs associated to this lab session.
If you are not familiar with Makefiles, go (briefly) through the GNU make documentation to make sure you know the basics.
In particular, read through the introductory material and make sure you understand the parts of Makefile syntax used in the given Makefile
, in particular: rules, variables, and static pattern rules.
(If you know about Makefiles already, feel free to skip this documentation study part.)
Exercise 2.g: change the retrieved Makefile so that:
- it only builds the
uppercase.c
programs (other programs mentioned in there will arrive later in this lab session!), and - passes the sanitizer flags to the compiler when compiling.
Recheck the result of the previous exercise about sanitizers to make sure they are there when building with make
.